Sunday, June 05, 2016
For my Ethical Hacking and Computer Security students.
How LinkedIn’s password sloppiness hurts us all
Back in 2012, fellow professional password cracker d3ad0ne (who regretfully passed away in 2013) and I made short work out of the first LinkedIn password dump, cracking more than 90 percent of the 6.4 million password hashes in just under one week. Following that effort, I did a short write-up ironically titled The Final Word on the LinkedIn Leak.
But those 6.4 million unique hashes posted on a Russian password-cracking forum in June 2012 only accounted for a fraction of the total LinkedIn database. This second dump, on the other hand, contains 177.5 million password hashes for 164.6 million users, which aligns perfectly with LinkedIn's user count in the second quarter of 2012. After validating the data that I received with several individuals, I concluded that this does appear to be a nearly complete dump of the user table from the 2012 LinkedIn hack.
Also for my Ethical Hacking students. Should Computer Security managers be monitoring sites like this? (Perhaps a business opportunity for someone who would push this information to managers?)
Just as Chris Vickery has tried to focus attention on the fact that there are still tens of thousands of misconfigured databases exposing PII and other information that should be protected because port 27017 is open, now TeamGhostShell is also calling attention to the problem – plus other open ports and issues.
… This project will focus solely on this poorly configured MongoDB. I’d like to mention exactly how easy it is to infiltrate within these types of networks but also how chilled sysadmins tend to be with their security measures. Or should I say, lack thereof.
In a lot of instances the owners don’t bother checking for open ports on their newly configured servers, not only that but they also don’t concern themselves with establishing a proper authentication process. (Just a simple username/password)
… ZDNet, ably assisted by Lee Johnstone, provides some comments and analyses of the data dump.
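The two omissions the quoted post complains about (a listener reachable from the Internet and no authentication) correspond to two settings in mongod.conf. The check below is an added example, not part of the original post, of TeamGhostShell's material, or of MongoDB's own tooling. It assumes the YAML-format mongod.conf with the documented keys `net.bindIp`, `net.bindIpAll` and `security.authorization`, parses only the two-level `section:` / `  key: value` subset that file actually uses, and audits a constructed weak configuration beside its hardened counterpart.

```python
"""Audit a mongod.conf for a world-reachable listener and missing authorization.

Added example; assumes the YAML-format mongod.conf and its documented keys
net.bindIp, net.bindIpAll and security.authorization. Both configurations
below are constructed for the demonstration.
"""

# Constructed example of a 2016-era server: port open on every interface, no auth.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
"""

# Constructed hardened counterpart: local-only listener plus mandatory authentication.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1        # remote admins come in over SSH/VPN, not the raw port
security:
  authorization: enabled   # every client must authenticate as a defined user
"""


def parse_simple_yaml(text):
    """Parse the 'section:' / '  key: value' subset used by mongod.conf into nested dicts.

    Comments are stripped. IPv6 literals (which contain colons) are not handled.
    """
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if indent == 0:
            section = key
            conf[section] = {} if value == "" else value
        elif section is not None and isinstance(conf[section], dict):
            conf[section][key] = value
    return conf


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both controls are in place."""
    conf = parse_simple_yaml(text)
    net = conf.get("net") if isinstance(conf.get("net"), dict) else {}
    sec = conf.get("security") if isinstance(conf.get("security"), dict) else {}
    findings = []

    bind = net.get("bindIp", "")
    addrs = [a.strip() for a in bind.split(",") if a.strip()]
    # Packages before MongoDB 3.6 listened on all interfaces when bindIp was unset,
    # so a missing key is treated the same as 0.0.0.0 or bindIpAll: true.
    if net.get("bindIpAll", "").lower() == "true" or not addrs or "0.0.0.0" in addrs:
        findings.append("net.bindIp: mongod accepts connections on every interface")

    if sec.get("authorization", "disabled") != "enabled":
        findings.append("security.authorization: not enabled, so any client that "
                        "reaches the port can read and write every database")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, "->", audit_mongod_conf(conf) or ["OK"])
```

Run it against a real `/etc/mongod.conf` by passing the file's contents to `audit_mongod_conf`; the bind check is deliberately conservative, flagging an absent `bindIp` because the packages of the period defaulted to listening everywhere.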
Another common security risk. Excel (and many other common applications) makes this type of error simple to commit, difficult to “see.”
Penn State University recently reported an incident to the New Hampshire Attorney General’s Office that involves a now-defunct club.
According to their report, the university was notified on April 13 that a historical document uploaded to the Undergraduate Law Society’s web site was a spreadsheet that contained two fields – SSN and DOB – that were not visible on casual inspection, but could be “unhidden” in Excel. The records therefore exposed the SSN and DOB of 379 individuals. Upon notification, the university immediately took the site offline while they investigated.
… They do not explain why the web site of a defunct organization was still online.
PSU notes that although it has no responsibility for what clubs post on their web sites, [Oh really? Bob] in response to this incident, they have started working more closely with student organizations about the importance of protecting personal information, and are encouraging organizations to use the Identity Finder software to locate and then remove personal information.
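Hidden columns survive in the file even though Excel does not draw them, which is why a visual check before publishing misses them. The scanner below is an added example, not part of the original report or of Penn State's process, that a reviewer could run over a workbook before it goes on a web site: it opens the .xlsx as the zip archive it is, reads the OOXML parts with the standard library only, lists hidden sheets, and reports every cell whose text looks like an SSN or a date, tagging whether that cell sits in a hidden column or row. The SSN and date patterns are illustrative, the sample workbook is constructed in memory, and mapping hidden sheet names to their part files (which needs the workbook relationships) is left out.

```python
"""Audit an .xlsx for hidden sheets and for PII-looking cells in hidden columns or rows.

Added example (not from the original post or from Penn State). Stdlib only:
the .xlsx is a zip of OOXML parts, so hidden state is plain XML attributes.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"

# Illustrative patterns only; a production scan would use a broader PII ruleset.
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
DOB_RE = re.compile(r"^\d{1,2}/\d{1,2}/\d{4}$")
CELL_REF_RE = re.compile(r"^([A-Z]+)(\d+)$")


def q(tag):
    """Qualify a tag name with the SpreadsheetML namespace for ElementTree lookups."""
    return f"{{{NS}}}{tag}"


def col_index(letters):
    """Convert a column label (A..Z, AA, AB, ...) to its 1-based index."""
    n = 0
    for ch in letters:
        n = n * 26 + (ord(ch) - ord("A") + 1)
    return n


def shared_strings(zf):
    """Return the workbook's shared-string table, or [] when it has none."""
    if "xl/sharedStrings.xml" not in zf.namelist():
        return []
    root = ET.fromstring(zf.read("xl/sharedStrings.xml"))
    return ["".join(t.text or "" for t in si.iter(q("t"))) for si in root.iter(q("si"))]


def cell_text(cell, sst):
    """Resolve a <c> element to its text: shared string, inline string or plain value."""
    kind = cell.get("t")
    if kind == "inlineStr":
        return "".join(t.text or "" for t in cell.iter(q("t")))
    v = cell.find(q("v"))
    if v is None or v.text is None:
        return ""
    return sst[int(v.text)] if kind == "s" else v.text


def hidden_columns(sheet_root):
    """Set of 1-based column indexes covered by <col ... hidden="1"> ranges."""
    hidden = set()
    for col in sheet_root.iter(q("col")):
        if col.get("hidden") == "1":
            hidden.update(range(int(col.get("min")), int(col.get("max")) + 1))
    return hidden


def audit_xlsx(data):
    """Return {'hidden_sheets': [names], 'pii_cells': [(part, ref, text, hidden), ...]}."""
    findings = {"hidden_sheets": [], "pii_cells": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        wb = ET.fromstring(zf.read("xl/workbook.xml"))
        for sheet in wb.iter(q("sheet")):
            # "veryHidden" sheets cannot even be unhidden from the Excel UI.
            if sheet.get("state") in ("hidden", "veryHidden"):
                findings["hidden_sheets"].append(sheet.get("name"))
        sst = shared_strings(zf)
        for part in sorted(n for n in zf.namelist() if n.startswith("xl/worksheets/sheet")):
            root = ET.fromstring(zf.read(part))
            hcols = hidden_columns(root)
            for row in root.iter(q("row")):
                row_hidden = row.get("hidden") == "1"
                for c in row.iter(q("c")):
                    m = CELL_REF_RE.match(c.get("r", ""))
                    text = cell_text(c, sst).strip()
                    if m and (SSN_RE.match(text) or DOB_RE.match(text)):
                        hidden = row_hidden or col_index(m.group(1)) in hcols
                        findings["pii_cells"].append((part, c.get("r"), text, hidden))
    return findings


def build_sample_workbook():
    """Constructed .xlsx bytes: visible Name column, hidden SSN/DOB columns, one hidden sheet."""
    def cell(ref, text):
        return f'<c r="{ref}" t="inlineStr"><is><t>{text}</t></is></c>'
    workbook = (f'<workbook xmlns="{NS}"><sheets><sheet name="Members" sheetId="1"/>'
                f'<sheet name="Old Roster" sheetId="2" state="hidden"/></sheets></workbook>')
    sheet1 = (f'<worksheet xmlns="{NS}"><cols><col min="3" max="4" width="0" hidden="1"/></cols>'
              f'<sheetData><row r="1">{cell("A1", "Name")}{cell("C1", "SSN")}{cell("D1", "DOB")}</row>'
              f'<row r="2">{cell("A2", "Member One")}{cell("C2", "123-45-6789")}{cell("D2", "1/2/1990")}</row>'
              f'</sheetData></worksheet>')
    sheet2 = f'<worksheet xmlns="{NS}"><sheetData><row r="1">{cell("A1", "archived")}</row></sheetData></worksheet>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/worksheets/sheet1.xml", sheet1)
        zf.writestr("xl/worksheets/sheet2.xml", sheet2)
    return buf.getvalue()


if __name__ == "__main__":
    report = audit_xlsx(build_sample_workbook())
    print("hidden sheets:", report["hidden_sheets"])
    for part, ref, text, hidden in report["pii_cells"]:
        print(f"{part} {ref}: {text!r} hidden={hidden}")
```

For a real file, pass `open(path, "rb").read()` to `audit_xlsx`. The design point is that the scan looks at the data, not at what Excel renders: the hidden flag is reported alongside each hit so the reviewer sees both that PII is present and why eyeballing the sheet missed it.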
No government agency would listen to an employee (or contractor) 92 levels below the head of the agency.
Jason Leopold, Marcy Wheeler, and Ky Henderson report:
On the morning of May 29, 2014, an overcast Thursday in Washington, DC, the general counsel of the Office of the Director of National Intelligence (ODNI), Robert Litt, wrote an email to high-level officials at the National Security Agency and the White House.
The topic: what to do about Edward Snowden.
Snowden’s leaks had first come to light the previous June, when the Guardian’s Glenn Greenwald and the Washington Post’s Barton Gellman published stories based on highly classified documents provided to them by the former NSA contractor. Now Snowden, who had been demonized by the NSA and the Obama administration for the past year, was publicly claiming something that set off alarm bells at the agency: Before he leaked the documents, Snowden said, he had repeatedly attempted to raise his concerns inside the NSA about its surveillance of US citizens — and the agency had done nothing.
Read more on Vice.com.
[From the article:
The trove of more than 800 pages [pdf at the end of this story], along with several interviews conducted by VICE News, offer unprecedented insight into the NSA during this time of crisis within the agency. And they call into question aspects of the US government's long-running narrative about Snowden's time at the NSA.
Not what I expected from France.
Nicolas Rase & Kristof Van Quathem write:
On May 12, 2016, the French High Court (“Cour de Cassation”) rendered a short decision stating that the right to be forgotten does not supersede the freedom of press. In this case, two brothers took legal action against a famous French daily newspaper.
The two individuals requested that their respective names be removed from search results displayed by the newspaper’s website search engine (not a third party search engine such as Google Search or Bing). The newspaper’s search engine indexed a link to an article published in 2006 which reported on a sanction imposed by the Council of State on the two brothers.
The High Court ruled that requiring a media organisation to remove information contained in its articles (the names and surnames of individuals) from its archive or to limit access to such articles by de-indexing links from its search engine exceeds the restrictions that may be imposed on the freedom of press.
Read more on Covington & Burling Inside Privacy.
Moroğlu Arseven writes:
The Turkish Constitutional Court has recently published a decision where it held that an employer monitoring an employee’s institutional email account and using correspondence in court did not violate the employee’s constitutional rights. The court held that the employer had monitored these accounts prudently and with just cause, since it was done to verify allegations that the employee had breached corporate regulations. It noted that monitoring had not gone beyond verification purposes and content of the correspondence was not made public.
Read more on Lexology.
…it depends on where you live. Or where the hack occurs?
Bethany Rupert of King & Spaulding provides additional coverage of an appellate ruling I had previously noted on this site:
On May 20, 2016, the U.S. Court of Appeals for the Eighth Circuit affirmed breach-of-contract claims brought by Minnesota-based State Bank of Bellingham (“Bellingham Bank”) against BancInsure Inc. (“BancInsure”), an insurance company that refused to provide coverage when the bank suffered losses after a criminal third party hacked the bank’s computer system and transferred funds to a foreign bank account.
The case is State Bank of Bellingham v. BancInsure Inc. n/k/a Red Rock Insurance Co., case number 14-3432, in the U.S. Court of Appeals for the Eighth Circuit.
Read more on JDSupra.
(Related) Could a breach bankrupt you?
Lyle Adriano reports that some of P.F. Chang’s breach-related costs are not covered by its insurance:
A federal court ruled that Chubb Ltd. does not have to reimburse P.F. Chang’s under its cyber policy for costs the restaurant chain was charged by its credit card processor.
The federal court ultimately concluded on several counts that Federal Insurance is not obligated to reimburse the charges, rationalizing that Bank of America did not suffer from P.F. Chang’s data breach and therefore did not suffer a “privacy injury” the policy could cover.
“The court agrees with Federal; (Bank of America) did not sustain a privacy Injury itself, and therefore cannot maintain a valid claim for injury against Chang’s,” said the ruling.
Read more on Insurance Business America.
When I see stories like this one, I feel particularly concerned for small and medium-sized businesses who really may have no idea what their policies don’t cover and could be totally wiped out by the costs of a breach if their insurer doesn’t cover some things. If you carry cyberinsurance for breach costs, do you know if your policy would cover reimbursement to your card issuer? If you don’t know for absolute sure, this might be a good time to check.
My Computer Security students discussed the security requirements of these Apps last week. Could I order 50 chicken sandwiches and have them delivered to my favorite law professor?
Why Is Chick-fil-A’s App Number One in the App Store?
In late 2014, Taco Bell became the first major fast-food chain to roll out an order-ahead app. Finally, a Fourth Meal habitué could pay ahead, skip the line, join a rewards program, and creatively customize their Nachos Bell Grande without enraging a line of people behind them. Shortly after a very involved launch, Taco Bell even threw free Doritos Locos Tacos at mobile-app users. Despite all the fanfare, the Live Más app, while popular, was never the No. 1 free app in the Apple universe. Because, really, what fast-food ordering app would be?
Earlier this week, Chick-fil-A, the sometimes maligned and beloved chicken chain, introduced its One app, which offered all of the things that Taco Bell’s app does, plus the immediate promise of a free chicken sandwich just for downloading the app. In just three days, the app has been downloaded over a million times and has led the most downloaded free app iTunes tally board since Wednesday, muscling out the likes of Facebook, Snapchat, Instagram, and the (frankly, weird-sounding) multiplayer snake-battle game slither.io.
… “82 percent of millennial parents say they would do almost anything to avoid long lines at fast food restaurants when they are with their children,” the company noted in a press release announcing the launch of the app. “In fact, nearly half (48 percent) said they would rather not eat at all than stand in a line.”
My dad was a fight fan. He said Ali was the best he had ever seen. Good enough for me.
by Sabrina I. Pacifici on Jun 4, 2016
David Remnick, Editor, The New Yorker – The Outsized Life of Muhammad Ali: “Ali, who died Friday, in Phoenix, at the age of seventy-four, was the most fantastical American figure of his era, a self-invented character of such physical wit, political defiance, global fame, and sheer originality that no novelist you might name would dare conceive him.